Hi,
I am after recommendations for good PE decompiler protection software. I am about to deploy an exe with sensitive information such as passwords in the source code. I have already packed the exe using UPX and manually altered the header information, but a decompiler called PE Explorer still manages to decode the strings in the exe file. I have to stop this!
Any recommendations would be much appreciated,
Many Thanks
Xscript

Storing the password in a .exe file is never a good idea. However, if you must, then store the password encrypted.
When your user enters the password, the same algorithm is run on the entered password as was used to encrypt the stored password. If they match, fine; if not...
Look up MD5 on Google. There are plenty of examples available. MD5 is a one-way algorithm that is perfect for this type of encryption.
Stuart

Thanks Stuart,
The password is used in a connection string, so what I have decided to do is store the string in an encrypted format, and then the program decrypts it when it needs to use it for the connection string. I guess this is not the most secure way of operating, but my main objective is to stop the opportunistic user from easily obtaining the password using free internet tools. I can't think of any other way of doing this.
Is it any safer to decrypt the password in a module rather than on the form? I've never had to protect my programs in this manner before.
Thanks
Xscript

You don't need to decrypt the connection string at all.
The user enters the connection string. The connection string entered by the user is then encrypted.
This encrypted string is then compared to the encrypted version stored in the .exe. If they match, then the string entered by the user is used to make the connection.
The only time the password or connection string exists in its unencrypted form is when the user enters it. It is more usual to store encrypted passwords in the registry.
This is how most password systems are implemented. Only the encrypted version is stored. MD5 and other encryption schemes like CRC do not allow for decryption, which is what makes them more secure.
Stuart

Hi,
I see your point; however, there is no user. The password is stored in the application so that the app can manipulate the database, but people are not able to manually gain entry because they do not know the password.
Thanks
Xscript

If the string is stored in the EXE and you want it to be hidden, it has to be encrypted. If it has to be decrypted, then you need to incorporate the decryption code in the EXE. Sooner or later, having the two together will lead to the string being hacked.
It really depends on how much time and effort it is worth.
There are ways of obfuscating code that will defeat a decompiler, but it won't work with strings.
Stuart
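
A build-time check for the problem raised in this thread (a connection-string password readable as a string inside the exe), added here as an example and not part of the original posts. It is written in Python; the sample bytes, the `Password`/`PWD` key pattern and all function names are constructed for illustration.

```python
import re

# Keys that commonly carry a credential in ADO/ODBC-style connection strings.
SECRET_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\s\"']+)")
MIN_LEN = 6  # shortest run of printable characters treated as a string


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_run, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(utf16_run, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_embedded_secrets(data: bytes):
    """Return findings for strings that look like 'Password=...' assignments."""
    findings = []
    for offset, enc, text in extract_strings(data):
        for m in SECRET_KEY.finditer(text):
            # Record only the length of the value so the report never repeats the secret.
            findings.append({"offset": offset, "encoding": enc,
                             "key": m.group(1), "value_len": len(m.group(2))})
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for an exe: header bytes, filler, two embedded strings."""
    narrow = b"Provider=SQLOLEDB;Data Source=db01;User ID=app;Password=ExamplePw1;"
    wide = "DSN=orders;UID=app;PWD=ExamplePw2;".encode("utf-16-le")
    return b"MZ\x90\x00" + b"\x00" * 64 + narrow + b"\x00" * 32 + wide + b"\x00\x00\xff"


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    hits = find_embedded_secrets(blob)
    for h in hits:
        print(f"offset 0x{h['offset']:x} ({h['encoding']}): {h['key']}=<{h['value_len']} chars>")
    sys.exit(1 if hits else 0)
```

Run it against the final exe and fail the build on a non-zero exit. A clean result only shows that no plaintext `Password=`/`PWD=` string is present; it says nothing about a string that is stored encrypted next to its own decryption code.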

Hi,
Use the registry.
The password should never be in the program at all. It must be decrypted and compared to the registry key. If the password is in the exe, you cannot stop it from hacking.dues,
